German Police Shut Down Crimenetwork Reboot, Arrest Administrator in Spain

What happened

German authorities have arrested the operator of a rebooted version of Crimenetwork, the largest German online cybercrime marketplace, and seized the platform less than six months after the original was dismantled. A 35-year-old German national was arrested at his residence in Mallorca, Spain, by the Spanish National Police acting on a European arrest warrant, following a joint operation by Germany’s Federal Criminal Police Office, the Central Office for Combating Cybercrime, and the Public Prosecutor’s Office in Frankfurt am Main.

The original Crimenetwork operated from 2012 with 100,000 registered users before being seized in late 2024. Within days of that takedown, the suspect built an entirely new technical infrastructure under the same name. The rebooted platform offered similar illicit goods and services and rapidly attracted 22,000 users and over 100 vendors before being shut down. Evidence gathered during the operation indicates the new platform generated at least €3.6 million in revenue. Authorities seized approximately €194,000 in allegedly illicit assets and obtained substantial user and transaction data to support further investigations.

The arrested administrator faces charges under Section 127 of the German Criminal Code and German narcotics law. The operator of the original Crimenetwork marketplace was sentenced in March to seven years and ten months in prison and ordered to forfeit more than €10 million in criminal proceeds, though that ruling is not yet final.

Who is affected

The 22,000 users and over 100 vendors who registered on the rebooted platform face potential identification through the seized user and transaction data. Buyers and sellers of illicit goods, stolen data, and cybercrime services on the platform are the primary exposure population, though the data collected may also support investigations into downstream criminal activity enabled by the marketplace.

Why CISOs should care

The Crimenetwork reboot illustrates the resilience of cybercriminal marketplace infrastructure, but also the effectiveness of international law enforcement coordination in pursuing it. A new platform with 22,000 users and millions in revenue was stood up, operated, and shut down within months. The seized transaction and user data from the rebooted platform extends the investigative reach of the original takedown significantly.

For security leaders, the broader relevance is that darknet marketplaces facilitating the sale of stolen credentials, access to compromised systems, and cybercrime tools continue to reconstitute quickly after disruptions. Monitoring for organizational data appearing on these platforms, and treating their takedowns as opportunities for intelligence rather than final resolutions, remains a necessary part of threat intelligence programs.

3 practical actions

1. Monitor dark web intelligence feeds for organizational data that may have been listed on Crimenetwork before the seizure: Law enforcement now holds the user and transaction records from the rebooted platform. Organizations should review whether any credentials, access listings, or stolen data tied to their environment may have been sold through Crimenetwork and treat any such findings as indicators of active compromise requiring immediate investigation.
2. Treat marketplace seizure announcements as intelligence collection opportunities: When law enforcement takes down a cybercrime marketplace, the seized data often surfaces in subsequent prosecutions and disclosures. Track the Crimenetwork investigation for any published indicators, victim notifications, or breach disclosures that may emerge from the seized transaction records.
3. Brief security teams on the speed of darknet marketplace reconstitution: The Crimenetwork reboot was operational within days of the original takedown. Security programs that treat a marketplace takedown as a threat resolved underestimate how quickly the same services reappear under new infrastructure, often with the same vendor relationships and user base intact.

Also in the news today:

• ShinyHunters Defaces Canvas Login Portals at 330 Schools in Escalating Extortion Campaign
• Fake OpenAI Repository on Hugging Face Pushes Infostealer Malware
• JDownloader Website Hacked to Replace Installers With Python RAT Malware
• Attackers Abuse Google Ads and Claude.ai Shared Chats to Push Mac Malware
• GM to Pay $12.75 Million in California Privacy Settlement Over Driver Data Sales
• Škoda Online Shop Security Incident Exposes Customer Data